Duqu May Actually Be An Advanced Cyber Weapon

An article in ISSSource asserts that analysis of the Duqu malware indicates that the code was most likely "developed by a team of highly skilled programmers who worked full time."

The implication here is that Duqu may have been produced by a team that is nation-state supported.

"That finding falls in place with the ISSSource report last week that learned American and Israeli officials are heading a team effort to perfect the new Stuxnet worm, called Duqu, that may be able to bring down Iran’s entire software networks if the Iranian regime gets too close to breakout, U.S. intelligence sources said," the ISSSource article states.

On October 14th, Symantec was sent a sample of malware which was subsequently dubbed "Duqu", and caused quite a stir because of its similarity to the infamous Stuxnet virus, yet the payload and purpose showed that Duqu was a totally new creation.

Stuxnet is a highly sophisticated designer-virus that wreaks havoc with SCADA systems which provide operations control for critical infrastructure and production networks, and the initial attacks are thought to have caused severe damage to Iranian uranium enrichment facilities, setting back the nation's nuclear weapons program by as much as several years.

While Duqu is similar in may respects to Stuxnet, other research team have concluded that its main purpose is to harvest data, not affect physical control systems such as those impacted by Stuxnet.

NSS researchers Mohamed Saher and Matthew Molinyawe have concluded that Duqu is the first modular plugin rootkit ever identified in the wild, and the sophisticated nature of the malware code leads them to believe that development would have required a significant amount of resource.

“Given the complexity of the system (solid driver code plus impressive system architecture) it is not possible for this to have been written by a single person, nor by a team of part-time amateurs. The implication is that, given the requirement for multiple man-years of effort, that this has been produced by a disciplined, well-funded team of competent coders,” wrote Saher and Molinyawe.

NSS has designed a scanning tool that can be used to identify as yet undiscovered Duqu drivers that may be infecting systems.

“We hope the research community can use this tool to discover new drivers and would ask that any samples be provided to NSS researchers (anonymously if preferred) in order to aid us in understanding more about the threat posed by Duqu,” the researchers continued.

The researchers are working under the assumption that Duqu is still in development, and that the authors are working to perfect the malware prior to unleashing its full potential - such as the delivery of a potentially devastating payload.

“There is no possible explanation for the production of such a sophisticated and elegant system merely to steal the information that has been targeted so far. Why go to all this trouble to deploy a simple key-logger? Given that there are additional drivers waiting to be discovered, we can liken Duqu to a sophisticated rocket launcher – we have yet to see the real ammunition appear," Saher and Molinyawe contend.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.